Bug#1137271: qt6-base-dev: non-deterministic generation of SPDX SBOM file
Gioele Barabucci
gioele at svario.it
Thu May 21 22:27:25 BST 2026
Source: qt6-base
Version: qt6-base_6.10.2+dfsg-13
User: reproducible-builds at lists.alioth.debian.org
Usertags: nondeterministic timestamps
X-Debbugs-Cc: reproducible-bugs at lists.alioth.debian.org
Dear Qt/KDE maintainers,
the SPDX SBOM file shipped in `qt6-base-dev`
(`/usr/lib/[…]/qt6/sbom/qtbase-6.10.2.spdx`) is generated in a
non-deterministic way.
The main symptom of this issue is that many `PackageVerificationCode`
and `FileChecksum` fields in that file change after each build. Also,
the varying SHA1 hashes reported in that file are different from the
SHA1 hashes of the files actually shipped in `qt6-base-dev`.
This is probably due to the fact that the `.a` files these fields refer
to are hashed by the SBOM tool before `dh_strip_nondeterminism` modifies
them to (successfully) fix all traces of nondeterminism (mainly timestamps).
One possible solution would be to patch the build system to clean the
`.a` files by calling `/usr/bin/strip-nondeterminism` (the standalone
version of `dh_strip_nondeterminism`) before the SBOM tool is run.
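A check a packager can run to confirm the symptom described above, added here as an example and not part of the original report or of the Qt build system: it parses the `FileName` / `FileChecksum` tags of an SPDX 2.x tag-value document, recomputes the digests of the files actually on disk, and reports every entry that disagrees. The `demo()` function builds a throwaway tree in which one archive is rewritten after its checksum was recorded, mimicking a file hashed before `strip-nondeterminism` ran. File names, archive contents and the SBOM fragment are constructed sample data, not taken from the real `qtbase-6.10.2.spdx`.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Algorithms SPDX may record that the standard library can recompute.
HASHERS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "MD5": hashlib.md5}


def parse_file_checksums(sbom_text):
    """Return {file_name: {algorithm: hex_digest}} from SPDX tag-value text.

    Only FileName and FileChecksum tags are interpreted; a FileChecksum
    line belongs to the most recent FileName above it (SPDX 2.x layout,
    assumed here).
    """
    checksums = defaultdict(dict)
    current = None
    for raw in sbom_text.splitlines():
        line = raw.strip()
        if line.startswith("FileName:"):
            current = line.split(":", 1)[1].strip()
        elif line.startswith("FileChecksum:") and current is not None:
            # The value reads "SHA1: 0123abcd..."; split once more on ':'.
            value = line.split(":", 1)[1].strip()
            alg, _, digest = value.partition(":")
            checksums[current][alg.strip().upper()] = digest.strip().lower()
    return dict(checksums)


def hash_file(path, algorithm):
    """Stream the file through the requested digest and return hex output."""
    h = HASHERS[algorithm]()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_sbom(sbom_text, root):
    """Compare each recorded checksum with the file currently under `root`.

    Returns (file_name, algorithm, recorded, actual) tuples for entries that
    disagree; `actual` is None when the file does not exist at all.
    """
    mismatches = []
    for name, algs in parse_file_checksums(sbom_text).items():
        path = os.path.join(root, name)
        for alg, recorded in algs.items():
            if alg not in HASHERS:
                continue  # unsupported algorithm: nothing to compare against
            if not os.path.isfile(path):
                mismatches.append((name, alg, recorded, None))
                continue
            actual = hash_file(path, alg)
            if actual != recorded:
                mismatches.append((name, alg, recorded, actual))
    return mismatches


def demo():
    """Reproduce the reported symptom in a temporary, constructed tree.

    libQt6Example.a is hashed in its final form; libQt6Stale.a is hashed,
    then rewritten (standing in for strip-nondeterminism running later),
    so the SBOM ends up carrying a stale SHA1 for it.
    """
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "lib"))
        good = os.path.join(root, "lib", "libQt6Example.a")
        stale = os.path.join(root, "lib", "libQt6Stale.a")
        with open(good, "wb") as fh:
            fh.write(b"!<arch>\nconstructed-deterministic-archive\n")
        pre_strip = b"!<arch>\nconstructed-archive-with-timestamp-1716326845\n"
        post_strip = b"!<arch>\nconstructed-archive-with-timestamp-0\n"
        with open(stale, "wb") as fh:
            fh.write(pre_strip)
        # The "SBOM tool" records digests at this point.
        sbom = (
            "SPDXVersion: SPDX-2.3\n"
            "FileName: ./lib/libQt6Example.a\n"
            f"FileChecksum: SHA1: {hash_file(good, 'SHA1')}\n"
            "FileName: ./lib/libQt6Stale.a\n"
            f"FileChecksum: SHA1: {hash_file(stale, 'SHA1')}\n"
        )
        with open(stale, "wb") as fh:  # timestamps normalised afterwards
            fh.write(post_strip)
        return verify_sbom(sbom, root)


if __name__ == "__main__":
    for name, alg, recorded, actual in demo():
        print(f"{name}: {alg} recorded {recorded}, file on disk has {actual}")
```

Against a real package, pass the shipped `.spdx` text and the directory that the `FileName` entries are relative to; an empty result means every recorded digest matches the installed file, and a result naming `.a` files after a clean build is exactly the ordering problem the report describes.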
Kind regards,
--
Gioele Barabucci